Use function pointer to represent eddsa dom prefix.

6 files changed, 35 insertions, 10 deletions

diff --git a/ChangeLog b/ChangeLog
index aa208c29..bf4c231e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,18 @@
 2020-01-02  Niels Möller  <nisse@lysator.liu.se>
 
-	* eddsa-internal.h (struct ecc_eddsa): Add magic "dom" string,
+	* eddsa-internal.h (nettle_eddsa_dom_func): New typedef.
+	(struct ecc_eddsa): Use function pointer to represent eddsa dom
+	string. To avoid calling sha512_update with empty input for
+	ed25519.
+	* ed448-shake256.c (ed448_dom): New function, calling
+	sha3_256_update with the magic dom prefix.
+	(_nettle_ed448_shake256): Point to it.
+	* ed25519-sha512.c (_nettle_ed25519_sha512): Add do-nothing dom function.
+
+	* eddsa-sign.c (_eddsa_sign): Update to use dom function pointer.
+	* eddsa-verify.c (_eddsa_verify): Likewise.
+
+	* eddsa-internal.h (struct ecc_eddsa): Add magic dom string,
 	needed for ed448.
 	* ed25519-sha512.c (_nettle_ed25519_sha512): Empty dom string.
 	* ed448-shake256.c (_nettle_ed448_shake256): New file and
diff --git a/ed25519-sha512.c b/ed25519-sha512.c
index 09d0f8a5..72c4e517 100644
--- a/ed25519-sha512.c
+++ b/ed25519-sha512.c
@@ -38,11 +38,15 @@
 #include "nettle-types.h"
 #include "sha2.h"
 
+static nettle_eddsa_dom_func ed25519_dom;
+
+static void ed25519_dom(void *ctx UNUSED) {}
+
 const struct ecc_eddsa _nettle_ed25519_sha512 =
   {
     (nettle_hash_update_func *) sha512_update,
     (nettle_hash_digest_func *) sha512_digest,
-    NULL, 0,
+    ed25519_dom,
     ~(mp_limb_t) 7,
     (mp_limb_t) 1 << (254 % GMP_NUMB_BITS),
   };
diff --git a/ed448-shake256.c b/ed448-shake256.c
index 4e54b2c6..25d878f0 100644
--- a/ed448-shake256.c
+++ b/ed448-shake256.c
@@ -39,14 +39,22 @@
 #include "sha3.h"
 
 #define DOM_SIZE 10
-static const uint8_t ed448_dom[DOM_SIZE] =
-  { 'S', 'i', 'g', 'E', 'd', '4', '4', '8', 0, 0};
+
+static nettle_eddsa_dom_func ed448_dom;
+
+static void
+ed448_dom(void *ctx)
+{
+  static const uint8_t dom[DOM_SIZE] =
+    { 'S', 'i', 'g', 'E', 'd', '4', '4', '8', 0, 0};
+  sha3_256_update (ctx, DOM_SIZE, dom);
+}
 
 const struct ecc_eddsa _nettle_ed448_shake256 =
   {
     (nettle_hash_update_func *) sha3_256_update,
     (nettle_hash_digest_func *) sha3_256_shake,
-    ed448_dom, DOM_SIZE,
+    ed448_dom,
     ~(mp_limb_t) 3,
     (mp_limb_t) 1 << (447 % GMP_NUMB_BITS),
   };
diff --git a/eddsa-internal.h b/eddsa-internal.h
index f7730a38..098ab39c 100644
--- a/eddsa-internal.h
+++ b/eddsa-internal.h
@@ -53,13 +53,14 @@
 struct ecc_curve;
 struct ecc_modulo;
 
+typedef void nettle_eddsa_dom_func(void *ctx);
+
 struct ecc_eddsa
 {
   /* Hash function to use */
   nettle_hash_update_func *update;
   nettle_hash_digest_func *digest;
-  const uint8_t *dom;
-  unsigned dom_size;
+  nettle_eddsa_dom_func *dom;
   /* For generating the secret scalar */
   mp_limb_t low_mask;
   mp_limb_t high_bit;
diff --git a/eddsa-sign.c b/eddsa-sign.c
index a5970e98..05277064 100644
--- a/eddsa-sign.c
+++ b/eddsa-sign.c
@@ -75,7 +75,7 @@ _eddsa_sign (const struct ecc_curve *ecc,
   size = ecc->p.size;
   nbytes = 1 + ecc->p.bit_size / 8;
 
-  eddsa->update (ctx, eddsa->dom_size, eddsa->dom);
+  eddsa->dom (ctx);
   eddsa->update (ctx, nbytes, k1);
   eddsa->update (ctx, length, msg);
   eddsa->digest (ctx, 2*nbytes, hash);
@@ -84,7 +84,7 @@ _eddsa_sign (const struct ecc_curve *ecc,
   ecc->mul_g (ecc, P, rp, scratch_out);
   _eddsa_compress (ecc, signature, P, scratch_out);
 
-  eddsa->update (ctx, eddsa->dom_size, eddsa->dom);
+  eddsa->dom (ctx);
   eddsa->update (ctx, nbytes, signature);
   eddsa->update (ctx, nbytes, pub);
   eddsa->update (ctx, length, msg);
diff --git a/eddsa-verify.c b/eddsa-verify.c
index c4e65d69..a0ffe0c4 100644
--- a/eddsa-verify.c
+++ b/eddsa-verify.c
@@ -106,7 +106,7 @@ _eddsa_verify (const struct ecc_curve *ecc,
   if (mpn_cmp (sp, ecc->q.m, ecc->q.size) >= 0)
     return 0;
 
-  eddsa->update (ctx, eddsa->dom_size, eddsa->dom);
+  eddsa->dom (ctx);
   eddsa->update (ctx, nbytes, signature);
   eddsa->update (ctx, nbytes, pub);
   eddsa->update (ctx, length, msg);